Home

Awesome

Violations Command Line

Maven Central NPM NPM Downloads Docker Pulls

This is a command line tool that will find report files from static code analysis, present and optionally fail the command. It uses the Violations Lib.

VersionJava Version
version < 2.0.08
2.0.0 <= version11

Run it with:

npx violations-command-line -s ERROR -mv 0 \
 -v "CHECKSTYLE" "." ".*checkstyle/main\.xml$" "Checkstyle" \
 -v "JSLINT" "." ".*jshint/report\.xml$" "JSHint"

It can parse results from static code analysis and:

npx violations-command-line -vf violations-report.json \
 -v "CHECKSTYLE" "." ".*checkstyle/main\.xml$" "Checkstyle"
npx violations-command-line -cc code-climate-report.json \
 -v "CHECKSTYLE" "." ".*checkstyle/main\.xml$" "Checkstyle"
npx violations-command-line -sa sarif-report.json \
 -v "CHECKSTYLE" "." ".*checkstyle/main\.xml$" "Checkstyle"

A snippet of the output may look like this:

...
se/bjurr/violations/lib/example/OtherClass.java
╔══════════╤════════════╤══════════╤══════╤════════════════════════════════════════════════════╗
║ Reporter │ Rule       │ Severity │ Line │ Message                                            ║
╠══════════╪════════════╪══════════╪══════╪════════════════════════════════════════════════════╣
║ Findbugs │ MS_SHOULD_ │ INFO     │ 7    │ Field isn't final but should be                    ║
║          │ BE_FINAL   │          │      │                                                    ║
║          │            │          │      │                                                    ║
║          │            │          │      │    <p>                                             ║
║          │            │          │      │ This static field public but not final, and        ║
║          │            │          │      │ could be changed by malicious code or              ║
║          │            │          │      │         by accident from another package.          ║
║          │            │          │      │         The field could be made final to avoid     ║
║          │            │          │      │         this vulnerability.</p>                    ║
╟──────────┼────────────┼──────────┼──────┼────────────────────────────────────────────────────╢
║ Findbugs │ NM_FIELD_N │ INFO     │ 6    │ Field names should start with a lower case letter  ║
║          │ AMING_CONV │          │      │                                                    ║
║          │ ENTION     │          │      │                                                    ║
║          │            │          │      │   <p>                                              ║
║          │            │          │      │ Names of fields that are not final should be in mi ║
║          │            │          │      │ xed case with a lowercase first letter and the fir ║
║          │            │          │      │ st letters of subsequent words capitalized.        ║
║          │            │          │      │ </p>                                               ║
╚══════════╧════════════╧══════════╧══════╧════════════════════════════════════════════════════╝

Summary of se/bjurr/violations/lib/example/OtherClass.java
╔══════════╤══════╤══════╤═══════╤═══════╗
║ Reporter │ INFO │ WARN │ ERROR │ Total ║
╠══════════╪══════╪══════╪═══════╪═══════╣
║ Findbugs │ 2    │ 0    │ 0     │ 2     ║
╟──────────┼──────┼──────┼───────┼───────╢
║          │ 2    │ 0    │ 0     │ 2     ║
╚══════════╧══════╧══════╧═══════╧═══════╝


Summary
╔════════════╤══════╤══════╤═══════╤═══════╗
║ Reporter   │ INFO │ WARN │ ERROR │ Total ║
╠════════════╪══════╪══════╪═══════╪═══════╣
║ Checkstyle │ 4    │ 1    │ 1     │ 6     ║
╟────────────┼──────┼──────┼───────┼───────╢
║ Findbugs   │ 2    │ 2    │ 5     │ 9     ║
╟────────────┼──────┼──────┼───────┼───────╢
║            │ 6    │ 3    │ 6     │ 15    ║
╚════════════╧══════╧══════╧═══════╧═══════╝

GitHub

GitHub is supported via SARIF. This tool can export SARIF format and it can be uploaded to Github to get feedback in pull-requests.

name: My workflow

on: [workflow_call, push, pull_request]

jobs:
  build:
    permissions:
      security-events: write
      actions: read
      contents: read
    steps:
      - name: Build
        run: |
          your-build-command-here
      - name: Transorm static code analysis to SARIF
        if: success() || failure()
        run: |
          npx violations-command-line -sarif sarif-report.json \
          -v "FINDBUGS" "." ".*spotbugs/main\.xml$" "Spotbugs" \
          -v "CHECKSTYLE" "." ".*checkstyle/main\.xml$" "Checkstyle" \
          -v "PMD" "." ".*pmd/main\.xml$" "PMD" \
          -v "JUNIT" "." ".*test/TEST-.*\.xml$" "JUNIT"
      - uses: github/codeql-action/upload-sarif@v3
        if: success() || failure()
        with:
          sarif_file: sarif-report.json
          category: violations-lib

GitLab

GitLab is supported via CodeClimate. This tool can export CodeClimate format and it can be uploaded to GitLab to get feedback in pull-requests.

If you export CodeClimate like this:

npx violations-command-line -cc code-climate-report.json \
  -v "FINDBUGS" "." ".*spotbugs/main\.xml$" "Spotbugs" \
  -v "CHECKSTYLE" "." ".*checkstyle/main\.xml$" "Checkstyle" \
  -v "PMD" "." ".*pmd/main\.xml$" "PMD" \
  -v "JUNIT" "." ".*test/TEST-.*\.xml$" "JUNIT"

You can upload it like this:

  artifacts:
    paths:
      - code-climate-report.json
    reports:
      codequality: code-climate-report.json

Formats

Example of supported reports are available here.

A number of parsers have been implemented. Some parsers can parse output from several reporters.

ReporterParserNotes
ARM-GCCCLANG
AndroidLintANDROIDLINT
Ansible-LaterANSIBLELATERWith json format
AnsibleLintFLAKE8With -p
BanditCLANGWith bandit -r examples/ -f custom -o bandit.out --msg-template "{abspath}:{line}: {severity}: {test_id}: {msg}"
CLangCLANG
CPDCPD
CPPCheckCPPCHECKWith cppcheck test.cpp --output-file=cppcheck.xml --xml
CPPLintCPPLINT
CSSLintCSSLINT
CheckstyleCHECKSTYLE
CloudFormation LinterJUNITcfn-lint . -f junit --output-file report-junit.xml
CodeClimateCODECLIMATE
CodeNarcCODENARC
CoverityCOVERITY
DartMACHINEWith dart analyze --format=machine
Dependency CheckSARIFUsing --format SARIF
DetektCHECKSTYLEWith --output-format xml.
DocFXDOCFX
DoxygenCLANG
ERBCLANGWith erb -P -x -T '-' "${it}" | ruby -c 2>&1 >/dev/null | grep '^-' | sed -E 's/^-([a-zA-Z0-9:]+)/${filename}\1 ERROR:/p' > erbfiles.out.
ESLintCHECKSTYLEWith format: 'checkstyle'.
FindbugsFINDBUGS
Flake8FLAKE8
FxCopFXCOP
GCCCLANG
GHSGHS
GendarmeGENDARME
Generic reporterGENERICWill create one single violation with all the content as message.
GoLintGOLINT
GoVetGOLINTSame format as GoLint.
GolangCI-LintCHECKSTYLEWith --out-format=checkstyle.
GoogleErrorProneGOOGLEERRORPRONE
HadoLintCHECKSTYLEWith -f checkstyle
IARIARWith --no_wrap_diagnostics
InferPMDFacebook Infer. With --pmd-xml.
JACOCOJACOCO
JCReportJCREPORT
JSHintJSLINTWith --reporter=jslint or the CHECKSTYLE parser with --reporter=checkstyle
JUnitJUNITIt only contains the failures.
KTLintCHECKSTYLE
KlocworkKLOCWORK
KotlinGradleKOTLINGRADLEOutput from Kotlin Gradle Plugin.
KotlinMavenKOTLINMAVENOutput from Kotlin Maven Plugin.
LintLINTA common XML format, used by different linters.
MSBuildLogMSBULDLOGWith -fileLogger use .*msbuild\\.log$ as pattern or -fl -flp:logfile=MyProjectOutput.log;verbosity=diagnostic for a custom output filename
MSCppMSCPP
MccabeFLAKE8
MyPyMYPY
NullAwayGOOGLEERRORPRONESame format as Google Error Prone.
PCLintPCLINTPC-Lint using the same output format as the Jenkins warnings plugin, details here
PHPCSCHECKSTYLEWith phpcs api.php --report=checkstyle.
PHPPMDPMDWith phpmd api.php xml ruleset.xml.
PMDPMD
Pep8FLAKE8
PerlCriticPERLCRITIC
PiTestPITEST
ProtoLintPROTOLINT
Puppet-LintCLANGWith -log-format %{fullpath}:%{line}:%{column}: %{kind}: %{message}
PyDocStylePYDOCSTYLE
PyFlakesFLAKE8
PyLintPYLINTWith pylint --output-format=parseable.
ReSharperRESHARPER
RubyCopCLANGWith rubycop -f clang file.rb
SARIFSARIFv2.x. Microsoft Visual C# can generate it with ErrorLog="BuildErrors.sarif,version=2".
SbtScalacSBTSCALAC
ScalastyleCHECKSTYLE
SemgrepSEMGREPWith --json.
SimianSIMIAN
SonarSONARWith mvn sonar:sonar -Dsonar.analysis.mode=preview -Dsonar.report.export.path=sonar-report.json. Removed in 7.7, see SONAR-11670 but can be retrieved with: curl --silent 'http://sonar-server/api/issues/search?componentKeys=unique-key&resolved=false' | jq -f sonar-report-builder.jq > sonar-report.json.
SpotbugsFINDBUGS
StyleCopSTYLECOP
SwiftLintCHECKSTYLEWith --reporter checkstyle.
TSLintCHECKSTYLEWith -t checkstyle
ValgrindVALGRINDWith --xml=yes.
XMLLintXMLLINT
XUnitXUNITIt only contains the failures.
YAMLLintYAMLLINTWith -f parsable
ZPTLintZPTLINT

52 parsers and 79 reporters.

Missing a format? Open an issue here!

Usage

Available parsers are:
ANDROIDLINT, ANSIBLELATER, CHECKSTYLE, CODENARC, CLANG, COVERITY, CPD, CPPCHECK, CPPLINT, CSSLINT, GENERIC, GHS, FINDBUGS, FLAKE8, MACHINE, FXCOP, GENDARME, IAR, JACOCO, JCREPORT, JSLINT, JUNIT, LINT, KLOCWORK, KOTLINMAVEN, KOTLINGRADLE, MSCPP, MSBULDLOG, MYPY, GOLINT, GOOGLEERRORPRONE, PERLCRITIC, PITEST, PMD, PROTOLINT, PYDOCSTYLE, PYLINT, RESHARPER, SARIF, SBTSCALAC, SEMGREP, SIMIAN, SONAR, STYLECOP, XMLLINT, YAMLLINT, ZPTLINT, DOCFX, PCLINT, CODECLIMATE, XUNIT, VALGRIND

Usage: violations-command-line [-dpv] [--help] [-pv] [-show-debug-info]
                               [-show-json-config] [-cc=<codeClimateFileArg>]
                               [-cf=<configFileArg>] [-ddl=<diffDetailLevel>]
                               [-df=<diffFrom>] [-dl=<detailLevelArg>]
                               [-dmv=<diffMaxViolations>]
                               [-ds=<diffMinSeverity>] [-dt=<diffTo>]
                               [-gr=<gitRepoArg>] [-jmc=<jacocoMinCoverage>]
                               [-jmlc=<jacocoMinLineCount>]
                               [-mlcw=<maxLineColumnWidth>]
                               [-mmcw=<maxMessageColumnWidth>]
                               [-mrcw=<maxReporterColumnWidth>]
                               [-mrucw=<maxRuleColumnWidth>]
                               [-mscw=<maxSeverityColumnWidth>]
                               [-mv=<maxViolationsArg>] [-s=<minSeverityArg>]
                               [-ss=<sarifFileArg>] [-vf=<violationsFileArg>]
                               [-v=<violationsArg>]...
      -cc, -code-climate=<codeClimateFileArg>
                          Create a CodeClimate file with all the violations.
      -cf, -config-file=<configFileArg>
                          Will read config from given file. Can also be
                            configured with environment variable
                            VIOLATIONS_CONFIG. Format is what you get from
                            -show-json-config.
      -ddl, -diff-detail-level=<diffDetailLevel>
                          VERBOSE, COMPACT, PER_FILE_COMPACT
      -df, -diff-from=<diffFrom>
                          Can be empty (ignored), Git-commit or any
                            Git-reference
      -dl, -detail-level=<detailLevelArg>
                          Verbosity VERBOSE, COMPACT, PER_FILE_COMPACT
      -dmv, -diff-max-violations=<diffMaxViolations>
                          Will fail the build if total number of found
                            violations is higher
      -dpv, -diff-print-violations
                          Will print violations found in diff
      -ds, -diff-severity=<diffMinSeverity>
                          INFO, WARN, ERROR
      -dt, -diff-to=<diffTo>
                          Can be empty (ignored), Git-commit or any
                            Git-reference
      -gr, -git-repo=<gitRepoArg>
                          Where to look for Git.
      --help              display this help and exit
      -jmc, -jacoco-min-coverage=<jacocoMinCoverage>
                          Minimum coverage in Jacoco that will generate a
                            violation.
      -jmlc, -jacoco-min-line-count=<jacocoMinLineCount>
                          Minimum line count in Jacoco that will generate a
                            violation.
      -mlcw, -max-line-column-width=<maxLineColumnWidth>
                          0 means no limit
      -mmcw, -max-message-column-width=<maxMessageColumnWidth>
                          0 means no limit
      -mrcw, -max-reporter-column-width=<maxReporterColumnWidth>
                          0 means no limit
      -mrucw, -max-rule-column-width=<maxRuleColumnWidth>
                          0 means no limit
      -mscw, -max-severity-column-width=<maxSeverityColumnWidth>
                          0 means no limit
      -mv, -max-violations=<maxViolationsArg>
                          Will fail the build if total number of found
                            violations is higher.
      -pv, -print-violations
                          Will print violations found
  -s, -severity=<minSeverityArg>
                          Minimum severity level to report. INFO, WARN, ERROR
      -show-debug-info    Please run your command with this parameter and
                            supply output when reporting bugs.
      -show-json-config   Will print the given config as JSON.
      -ss, -sarif=<sarifFileArg>
                          Create a Sarif file with all the violations.
  -v, --violations=<violationsArg>
                          Format: <PARSER> <FOLDER> <REGEXP PATTERN> <NAME>,
                            Example: -v "JSLINT" "." ".*/jshint.xml$" "JSHint"
      -vf, -violations-file=<violationsFileArg>
                          Create a JSON file with all the violations.

Checkout the Violations Lib for more documentation.